Monday, January 21, 2013

Backtrack Forensics: darkstat

Menu: Forensics -> Network Forensics
Directory: /pentest/sniffers/darkstat

darkstat is a network sniffer which collects traffic statistics as a background process and presents them through a built-in web interface. By default it binds that web interface to port 667.

Usage:

The most basic run, which is probably enough most of the time:
./darkstat -i eth0

On Backtrack (and Ubuntu) this will throw an error:

14359: error: getaddrinfo(NULL,667) failed: Name or service not known: Device or resource busy

The workaround is to give darkstat an explicit bind address with -b. Binding to 0.0.0.0 makes it work, but keep in mind that this serves the stats page on every interface of the box, to anyone who can reach the port; if you only need to view it locally, pass 127.0.0.1 to -b instead.
./darkstat -b 0.0.0.0 -i eth0

Some other useful options:
-b addr - bind the web interface to a specific address
-p port - bind the web interface to a specific port
-r file - read a pcap file and build the statistics from that instead of sniffing live
--syslog - send darkstat's log messages to syslog instead of stderr
--no-macs - don't collect MAC address information


After that, open a web browser and navigate to http://localhost:667/ (or whatever address and port you bound to). The interface has two tabs, graphs and hosts. The graphs tab shows traffic for the last minute, hour, day and month. The hosts tab lists per-host statistics for every host seen on the wire, and it can be sorted by incoming, outgoing and total traffic, or by last-seen time.
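Because the -b 0.0.0.0 workaround publishes the stats page on every interface, it is worth confirming where darkstat actually ended up listening before leaving it running. The script below is an added example written for this page; it is not part of darkstat or of the original post. It parses `ss -lnt` output (assumed to be available from iproute2) and classifies the listener on a given port as loopback-only, wildcard-bound, or absent. The two listings embedded in it are constructed samples, not captures from a real host, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of darkstat itself.
# Checks where darkstat's web interface is actually listening, so that a
# "-b 0.0.0.0" workaround does not silently expose the stats page to the
# network. Input is the output of `ss -lnt` (iproute2), whose 4th column is
# "LocalAddress:Port", e.g. 127.0.0.1:667, 0.0.0.0:667, *:667 or [::]:667.

# darkstat_bind_state PORT   (reads `ss -lnt` output on stdin)
# Prints one word: "loopback" (127.0.0.1 / [::1] only), "wildcard" (any
# listener on 0.0.0.0, *, or [::]), or "absent" (nothing on that port).
darkstat_bind_state() {
    awk -v port="$1" '
        NR > 1 {
            # last ":"-separated field is the port; everything before it is the address
            n = split($4, parts, ":")
            p = parts[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port) {
                if (addr == "127.0.0.1" || addr == "[::1]") on_lo = 1
                else on_wild = 1
            }
        }
        END {
            if (on_wild) print "wildcard"
            else if (on_lo) print "loopback"
            else print "absent"
        }'
}

# Constructed sample listings (not captured from a real host) for an
# offline run: one with darkstat bound to loopback, one bound to 0.0.0.0.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      10     127.0.0.1:667      0.0.0.0:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      10     0.0.0.0:667        0.0.0.0:*
LISTEN 0      10     [::]:667           [::]:*'

# check_listing LISTING PORT: prints the state and returns non-zero when the
# listener is wildcard-bound, so the script can be used as a gate.
check_listing() {
    state=$(printf '%s\n' "$1" | darkstat_bind_state "$2")
    echo "port $2: $state"
    [ "$state" != "wildcard" ]
}

# Against the live system (needs ss): sh check_darkstat.sh --live [port]
if [ "${1:-}" = "--live" ]; then
    ss -lnt | darkstat_bind_state "${2:-667}"
else
    check_listing "$SAMPLE_LOOPBACK" 667    # port 667: loopback
    check_listing "$SAMPLE_EXPOSED" 667 ||
        echo "darkstat is reachable from the network; restart it with -b 127.0.0.1"
fi
```

Run it with `--live` on the BackTrack box after starting darkstat; a "wildcard" answer means the interface you picked with -b is wider than you probably intended. The hostname column of ss is not consulted, so the check works the same with -n and without DNS.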



Official website: http://unix4lyfe.org/darkstat/
